CERTIFYING AUTHORITY AND DIGITAL SIGNATURE CERTIFICATE
The need for a CA and a "Digital Signature certificate"
To verify a digital signature, the verifier must have access to the signer's public key and have assurance that it corresponds to the signer's private key. However, a public and private key pair has no intrinsic association with any person; it is simply a pair of numbers.

As electronic commerce grows on the Internet, where significant transactions will occur among strangers who have no prior contractual relationship and may never deal with each other again, the problem of authentication and non-repudiation becomes acute.

The solution to these problems is the use of one or more trusted third parties to associate an identified signer with a specific public key. That trusted third party is referred to as a "Certifying Authority" (CA). The CA will be granted a licence to issue "Digital Signature certificates" (u/s 24).

To associate a key pair with a prospective signer, a CA issues a "Digital Signature certificate" (u/s 35), an electronic record which lists a public key as the "subject" of the certificate and confirms that the prospective signer identified in the certificate holds the corresponding private key. The prospective signer, in whose name the certificate is issued, is termed the "subscriber" (u/s 2).

A certificate's principal function is to bind a key pair to a particular person.

To assure both message and identity authenticity of the certificate, the certification authority digitally signs it. The issuing certification authority's digital signature on the certificate can be verified using the public key of the certification authority listed in another certificate issued by another certification authority (which may, but need not, be on a higher level in a hierarchy); that other certificate can in turn be authenticated by the public key listed in yet another certificate, and so on, until the person relying on the digital signature is adequately assured of its genuineness.
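As an added illustration of the chain of certificates described above (example code written for this page, not part of the original article), the following Go program has a Certifying Authority issue a subscriber certificate binding a name to a public key, then performs the relying party's check: the subscriber's certificate is accepted under the CA that signed it and rejected under an unrelated CA whose key never signed it. All subject names, serial numbers and validity periods are constructed demo values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts the demo on any error so the example stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a fresh key pair for subject cn and returns a certificate binding cn to
// that public key, signed by parentKey (self-signed when parent is nil). Demo names/validity.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // a CA certifies its own public key by signing its own certificate
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// ChainsToTrustedCA is the relying party's check: accept the subscriber certificate only if
// its signature chain ends at a CA the relying party already trusts.
func ChainsToTrustedCA(sub, trustedCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := sub.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Demo: the subscriber certificate verifies under its issuing CA, but not under an unrelated CA.
func Demo() (underIssuer, underOtherCA bool) {
	ca, caKey := issue("Demo CA", 1, true, nil, nil)
	otherCA, _ := issue("Other CA", 2, true, nil, nil)
	sub, _ := issue("Subscriber", 3, false, ca, caKey)
	return ChainsToTrustedCA(sub, ca), ChainsToTrustedCA(sub, otherCA)
}
```

The relying party's trust therefore rests entirely on which CA certificates it has chosen to accept as roots, which is why the CA must itself be trustworthy and licensed.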
Appointment of Repository
To make a public key and its identification with a specific subscriber readily available for use in verification, the certificate will be published in a repository or made available by other means. U/s 20, the Controller appointed by the Central Government will act as repository. Repositories are on-line databases of certificates and other information available for retrieval by the public and for use in verifying digital signatures.
Suspension of Digital Signature Certificate.
37. (1) Subject to the provisions of sub-section (2), the Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate,-
    (a) on receipt of a request to that effect from -
        (i) the subscriber listed in the Digital Signature Certificate; or
        (ii) any person duly authorised to act on behalf of that subscriber;
    (b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest.
(2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter.
(3) On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.
As a user of digital signatures, it is important to know the following two sections of the Act:

Clause 29.- This clause provides that the Controller, or any person authorised by him, if he has reasonable cause to suspect that a contravention of the provisions of the Act or the rules or regulations is being committed, shall have access to any computer system, data or any other material connected with such system.

Clause 68.- This clause empowers the Controller, if he is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, to intercept any information transmitted through any computer system or computer network.

The successful implementation of digital signatures in day-to-day activities will involve costs: buying signing software, paying to obtain the certificate, obtaining verifying software, paying to check repository records, and the institutional costs of the CA, the repository and the Controller.
© Zarana Khona 2000 e-mail : zarana@indiaitlaw.com